Create a Custom URL Category (PAN-OS & Panorama)
Focus
Focus
Advanced URL Filtering

Create a Custom URL Category (PAN-OS & Panorama)

Table of Contents


Create a Custom URL Category (PAN-OS & Panorama)

  1. Select ObjectsCustom ObjectsURL Category.
  2. Add or modify a custom URL category, and give the category a descriptive Name.
  3. Set the category Type to either Category Match or URL List:
    • URL List—Add URLs that you want to enforce differently than the URL category to which they belong. Use this list type to define exceptions to URL category enforcement or to define a list of URLs as belonging to a custom category. Consult URL Category Exceptions for guidelines on creating URL list entries.
      By default, the firewall automatically appends a trailing slash (/) to domain entries ( example.com) that do not end in a trailing slash or asterisk (*). The trailing slash prevents the firewall from assuming an implicit asterisk to the right of the domain. In non-wildcard domain entries, the trailing slash limits matches to the given domain and its subdirectories. For example, example.com ( example.com/ after processing) matches itself and example.com/search.
      In wildcard domain entries (entries using asterisks or carets), the trailing slash limits matches to URLs that conform to the specified pattern. For example, to match the entry *.example.com, a URL must strictly begin with one or more subdomains and end with the root domain, example.com; news.example.com is a match, but example.com is not because it lacks a subdomain.
      We recommend manually adding trailing slashes to clarify the intended matching behavior of an entry for anyone who inspects your URL list. The trailing slash is invisible if added by the firewall. URL Category Exceptions discusses the trailing slash and matching behavior in further detail.
      To disable this feature, go to DeviceSetupContent-IDURL Filtering. Then, deselect Append Ending Token. If you disable this feature, you may block or allow access to more URLs than intended. URL Category Exceptions (PAN-OS 10.1 and earlier) describes the firewall’s behavior when this feature is disabled.
    • Category Match—Provide targeted enforcement for websites that match a set of categories. The website or page must match all the categories defined in the custom category.
  4. Click OK to save the custom URL category.
  5. Select ObjectsSecurity ProfilesURL Filtering and Add or modify a URL Filtering profile.
    Your new custom category displays under Custom URL Categories:
  6. Decide how you want to enforce Site Access and User Credential Submissions for the custom URL category. (To control the sites to which users can submit their corporate credentials, see Prevent Credential Phishing.)
  7. Attach the URL Filtering profile to a Security policy rule to enforce traffic that matches that rule.
    Select PoliciesSecurityActions and specify the Security policy rule to enforce traffic based on the URL Filtering profile you just updated. Make sure to Commit your changes.
    You can also use custom URL categories as Security policy rule match criteria. In this case, you do not define site access for the URL category in a URL Filtering profile. After creating a custom category, go to the Security policy rule to which you want to add the custom URL category (PoliciesSecurity). Then, select Service/URL Category to use the custom URL category as match criteria for the rule.